Siemens Not Ruling Out Future Attacks Exploiting Global Private Keys for PLC Hacking

Researchers have demonstrated that threat actors could obtain global private keys that protect some of Siemens’ industrial devices, and the vendor says it cannot rule out malicious exploitation in the future.

Details were disclosed on Tuesday by industrial cybersecurity firm Claroty, whose researchers have been looking into ways to achieve native code execution on programmable logic controllers (PLCs).

The vulnerability is tracked as CVE-2022-38465 and rated ‘critical’. Siemens announced fixes for the affected PLCs and for its TIA Portal engineering software in one of its Patch Tuesday advisories.

Siemens has also released a separate security bulletin highlighting the vulnerability. According to the company, in 2013, it introduced asymmetric cryptography into the security architecture of its Simatic S7-1200 and S7-1500 CPUs in an effort to protect devices, customer programs, and communications between devices.

However, because practical solutions for dynamic key management and key distribution did not exist for industrial control systems (ICS) at the time, it chose to rely on a single built-in global private key shared across the product line.

Siemens has confirmed Claroty’s findings, admitting that the cryptographic key is not sufficiently protected on the device. An attacker with access to a single PLC can extract the private key in an offline attack and then use it against every device in the product line that shares that key.

The attacker can then obtain sensitive configuration data or launch man-in-the-middle (MitM) attacks that enable them to read or modify data between the PLC and its connected HMIs and engineering workstations.

Claroty researchers said they obtained the private key by exploiting a vulnerability they discovered in 2020 (CVE-2020-15782) that gave them arbitrary code execution and, through it, direct access to the PLC’s memory. They have shown how an attacker holding the private key can gain full control of a PLC and conduct MitM attacks.

“Siemens is not aware of related cybersecurity incidents but considers the likelihood of malicious actors misusing the global private key as increasing,” Siemens warned.

The industrial giant has made significant changes to address the issue: each device now gets a unique password rather than relying on a key shared across the product line, and communications are now protected by TLS 1.3.

The company has released firmware updates, but noted that updating the firmware on a device is not sufficient on its own.

“In addition, the hardware configuration in the TIA Portal project (V17 or later) must also be updated to the corresponding CPU version and downloaded to the PLC,” it told customers.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.